Data Protection Advisor: Spring Framework False Positive Security Vulnerability (CVE-2022-22950)
Summary:
This article provides a list of security vulnerabilities that cannot be exploited on Data Protection Advisor versions 19.7, 19.6, 19.5, 19.4, 19.3, 19.2, 19.1, 18.X or earlier, but which may be identified by security scanners.
Article Content
Security Article Type: Security KB
CVE Identifier: CVE-2022-22950
Issue Summary
See the 'Recommendations' section below for details on the CVE.
Recommendations
The vulnerabilities listed in the table below are ordered by the date on which Data Protection Advisor Engineering determined that Data Protection Advisor versions 19.6, 19.5, 19.4, 19.3, 19.2, 18.X were not vulnerable.
Third-party Component: Spring Framework versions 5.3.0 - 5.3.16
CVE ID: CVE-2022-22950
Summary of Vulnerability: In Spring Framework versions 5.3.0 - 5.3.16 and earlier unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Reason why Product is not Vulnerable: DPA does not use the affected SpEL expression class in its source code.
Date Determined False Positive:
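A "not vulnerable because the affected class is not used" determination of this kind can be backed up by scanning the product's source tree for entry points into spring-expression, the Spring module that evaluates SpEL. The script below is an added example, not Dell tooling: the indicator patterns are an assumption about the usual SpEL entry points, and the sample files it scans are constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Assumed indicators that a Java/Kotlin code base evaluates SpEL expressions:
# an import from the spring-expression module, the SpEL parser class, a call to
# parseExpression(), or an @Value annotation carrying a "#{...}" SpEL template.
SPEL_PATTERNS = {
    "spring-expression import": re.compile(
        r"^\s*import\s+org\.springframework\.expression\.", re.M),
    "SpelExpressionParser": re.compile(r"\bSpelExpressionParser\b"),
    "ExpressionParser.parseExpression": re.compile(r"\.parseExpression\s*\("),
    "@Value SpEL template": re.compile(r"@Value\s*\(\s*\"[^\"]*#\{"),
}


def scan_source_tree(root):
    """Return sorted (relative_path, indicator) pairs for every SpEL usage found."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix not in {".java", ".kt"}:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for name, pattern in SPEL_PATTERNS.items():
            if pattern.search(text):
                findings.append((path.relative_to(root).as_posix(), name))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample code base: one class that uses SpEL and one that does not."""
    root = tempfile.mkdtemp()
    (Path(root) / "svc").mkdir()
    (Path(root) / "svc" / "ReportService.java").write_text(
        "package svc;\nimport org.springframework.stereotype.Service;\n"
        "@Service public class ReportService { }\n")
    (Path(root) / "svc" / "RuleEngine.java").write_text(
        "package svc;\nimport org.springframework.expression.ExpressionParser;\n"
        "import org.springframework.expression.spel.standard.SpelExpressionParser;\n"
        "public class RuleEngine {\n"
        "  ExpressionParser p = new SpelExpressionParser();\n"
        "  Object eval(String s) { return p.parseExpression(s).getValue(); }\n}\n")
    return root


if __name__ == "__main__":
    for rel, why in scan_source_tree(build_sample_tree()):
        print(f"{rel}: {why}")
```

An empty result supports the false-positive call; any hit is where review should start, since the scanner reports usage, not whether user-controlled input reaches the parser.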